Around RSA

Tales from the Black Hat NOC: I'll Show You Mine, We Can Already See Yours

Jul 30, 2016 | by Scott Carter |

With the start of Black Hat 2016 merely a day away, white, black, and grey hats from around the world are whetting their appetites - eagerly waiting to show off and consume the fruit of an entire year's research. Whether for education, research, bragging rights, or mal-intent, the Black Hat network will host anything from basic brute force attacks to the most sophisticated 0-day proof of concepts in volumes not seen anywhere else in the world.

With this level of network chaos forecasted for the next six days, a sophisticated visibility solution is required to gain insite and ensure the conference runs smoothly. And that is exactly what RSA's Blackhat NOC volunteers are in the process of installing.

The RSA NetWitness Platform will provide full packet capture and session reconstruction, log aggregation, and automated analysis for the 2-4Gbps traversing the Black Hat network. Essentially, the Black Hat NOC is getting a very shiny flashlight for a very dark network. The NOC analysts, many of whom are RSA volunteers, will use the solution to identify and understand potential attacks against the Black Hat infrastructure over the course of the conference. Just think of it as the NOC team looking over your shoulder, in a reassuring, non-creepy kinda way.

So, to all the hackers and crackers out there... since we will be seeing your work over this next week, we figured it's only fair to show you ours.

Black Hat Network Scope

Black Hat Network Scope:

  • Average input: 2-4 Gbps
  • Input spikes: 10Gbps
  • Retention: 7 days

RSA NetWitness Platform:

  • High performance storage: 190TB
  • Automated executable analysis
  • Layer 2-7 parsing and application layer reconstruction
  • Log ingestion and SIEM functionality
  • Combined network session + log correlation

Happy hunting everybody - let the games begin!

Sincerely, your Black Hat NOC Volunteers

RSA NetWitness Platform